Less than three weeks ago, Adobe released a critical security update for its Flash Player plug-in, fixing a vulnerability that allowed attackers to access machines remotely.

Yet another security update is out today, and it is strongly recommended. The new build (Version 12.0.0.70) addresses a vulnerability that, according to security firm FireEye and as reported by ArsTechnica, allowed attackers to target at least three nonprofit websites…


From FireEye:

This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues. The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.

This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.

OS X users can prompt the update to initiate in the System Preferences app, and the update is available from Adobe’s site here. Adobe also offers an uninstaller to remove Adobe Flash completely.

I just wish I could remove it, but the internet didn’t follow up that closely. My recommendation would be to minimise Flash use. The ClickToFlash Safari extension disables all Flash until you click it, but most important: if the extension finds a video source URL (on YouTube and many others), it uses Safari’s native player (also used for HTML5 video elements) without a trace of that proprietary, buggy, and slow software called “Flash” (or video ads for that matter).

I don’t agree on the “rocks in their head thing” though: Flash is necessary for a “full experience,” i.e. for not being thrown off a website by a stubborn and/or lazy web developer (or their managers).